Security is more than just compliance

Compliance

- Measure of processes and procedures
- Conformity with policy and directive
- Reporting against rules

Security

- Protecting information & systems from:
  - Misuse
  - Attack
  - Information loss/disclosure
- Confidentiality, integrity and availability
Security is this and more...

- Trojans
- Phishing attacks
- Insider threats
- APTs
- Social engineering
Security Factors

- Dynamic nature
- Pro-active vs reactive
- Strategic vs tactical
Dynamic landscape

- Targets are getting bigger
- Attacks more frequent
- Variable in nature
Dynamic landscape

- Uncertainty is a given
- Large scale deployments
- Massive data volume to monitor
- You can't set the rules
Dynamic Landscape

So a SIEM must:

- Be horizontally and vertically scalable
- Collect all of the data all of the time
- Interpret all events in real time
- Alert in a timely manner
Proactive vs Reactive

- Most go undetected
- Losses becoming greater
- 90% of the time the breach is detectable*
Proactive vs Reactive

- Time is of the essence
- Loss prevention
- All silos - no blind spots
- Join the dots for real-time threat mitigation
Proactive vs Reactive

So a SIEM must:

- Do more than historical archive & reporting
- Ensure a reliable evidential archive
- Not depend on pre-defined rules alone
- Prioritise and mitigate threats
Strategic vs Tactical

- Integrated security solutions
- Local picture
- Global perspective
- Security intelligence
Strategic vs tactical

- Beyond rules: quantify and qualify
- Event contextualisation
- Risk profile based threat
- Completeness of vision
Strategic vs Tactical

The more data you analyse, the better the decision.

So a SIEM must:

- Enterprise-wide monitoring across silos
- Build a knowledge base for data enrichment
- High-speed analysis to continuously join the dots
- Behaviour-based anomaly detection
Integrated Security Platform

SIEM: security is more than compliance

[Diagram labels: Security Management, Compliance, Information Assurance]
Security is not Compliance

SIEM: security is more than compliance

- Scalable to meet changing security needs
- Correlate and investigate in real time
- Evidential records suitable for interrogation
- Identify anomalous or suspicious events
- Timely alerting of prioritised threats
Good SIEM Foundation

Building a good SIEM Foundation

"You get what you give. What you put into things is what you get out of them."

"The foundation of every SIEM is the quality of the data it is capturing."
Good SIEM Foundation

Centralised Capture and Consolidation

- Real-time collection
  - Value of security data diminishes over time
  - Original data capture for evidential replay
- Event time synchronization
  - Multiple time stamps
  - Internal event time sync
- Normalisation of data
  - Structure data in searchable columns and rows
  - Single query across multiple different data sources
- Scalable architecture
  - Ability to handle variability in data volumes
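As an added illustration of the capture and normalisation points above (not code from the presentation), the Python below takes three constructed log lines in three time-stamp formats and turns them into one schema that keeps the original line for replay, carries the device, receipt and skew-corrected event times, and answers a single query across all sources; the source names, clock offsets and syslog year are assumptions.

```python
"""Normalise heterogeneous log lines into one searchable schema (added example,
not the slides' own code): keep the raw line for evidential replay, carry
device, receipt and skew-corrected UTC event times, and use common columns so
a single query spans every source."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines from three sources with three time formats.
SAMPLE_LINES = [
    ("fw01", "Mar 10 14:22:05 fw01 deny src=10.0.0.7 dst=10.0.1.9 dport=445"),
    ("vpn01", "2024-03-10T14:21:40+01:00 vpn01 login user=alice src=203.0.113.5"),
    ("app01", "1710080525000 app01 file_write user=alice path=/srv/payroll.xlsx"),
]
# Constructed per-source clock offsets: true time = device time + offset.
CLOCK_SKEW = {"fw01": timedelta(seconds=-90), "app01": timedelta(seconds=5)}
SYSLOG_YEAR = 2024  # assumption: syslog stamps carry no year; use the collector's
LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d|\S+) (\S+) (\S+)(.*)$")

def parse_device_time(ts: str) -> datetime:
    """Parse a syslog, ISO 8601 or epoch-millisecond time stamp to UTC."""
    if ts.isdigit():                       # epoch milliseconds
        return datetime.fromtimestamp(int(ts) / 1000, tz=timezone.utc)
    if ts[0].isalpha():                    # syslog, assumed written in UTC
        stamp = datetime.strptime(f"{SYSLOG_YEAR} {ts}", "%Y %b %d %H:%M:%S")
        return stamp.replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(ts).astimezone(timezone.utc)  # ISO 8601

def normalise(source: str, raw: str, received: datetime) -> dict:
    """Turn one raw line into the common column layout."""
    m = LINE_RE.match(raw)
    if not m:
        raise ValueError(f"unparsed line from {source}: {raw!r}")
    ts, host, action, rest = m.groups()
    device_time = parse_device_time(ts)
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"raw": raw,                    # original line, kept for replay
            "source": source, "host": host, "action": action,
            "device_time": device_time,    # as stamped by the device
            "received_time": received,     # when the collector saw it
            "event_time": device_time + CLOCK_SKEW.get(source, timedelta(0)),
            "user": fields.get("user"), "src": fields.get("src"), "fields": fields}

def normalise_all(lines, received=None):
    """Normalise many lines and order them on the corrected event time."""
    received = received or datetime.now(timezone.utc)
    return sorted((normalise(s, r, received) for s, r in lines), key=lambda e: e["event_time"])

def query(events, **where):
    """One query across all sources: rows whose columns equal the given values."""
    return [e for e in events if all(e.get(k) == v for k, v in where.items())]
```

Note that the ordering on corrected event time differs from the order the lines arrived in, which is exactly why the slide asks for internal event time sync before correlation.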
Good SIEM Foundation

Alerting and Reporting

- Real-time alerts
  - Faster remediation
  - Reduced impact
- Multi-dimensional analysis
  - Static rules-based analysis
  - Dynamic behavioural analysis
- External data enrichment
  - Import and leverage the user knowledge base
  - Correlate with external data stores to validate and enrich alerts (vulnerability assessment, IAM, CMDB etc.)
Example Scenario

- Unusual Activity - Alert based on behavioural analysis and correlation with external user information from IAM
- File Change and Privilege Access - Alert based on correlation between an abnormal file change and the recent unusual activity; flag the server as High Risk
- Port Scan - Alert on a port scan coming from the High Risk server
- Potential Compromised Servers - Generate a report from a single query to identify potentially compromised servers
- Identify Source - Identify the initial source of the attack
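The scenario above as a small rule chain in Python, added here as an example rather than the presentation's own code: each step enriches or links to the previous alert, so the final report and the initial source come from the stored alert chain. The IAM working hours, CMDB mapping, host and user names, 60-minute window and 20-port threshold are all constructed assumptions.

```python
"""Rule chain for the "Example Scenario" above (added example, not the
presentation's own code); the IAM, CMDB and event data below are constructed."""
from collections import defaultdict

IAM = {"alice": {"dept": "finance", "hours": range(8, 18)}}  # constructed: work hours
CMDB = {"10.0.1.9": "srv-db"}                                 # constructed: IP -> host
WINDOW, SCAN_PORTS = 60, 20  # minutes a user stays "hot"; distinct ports = scan
# Constructed normalised events: (minute of day, host, action, fields).
EVENTS = [(180, "vpn01", "login", {"user": "alice", "src": "203.0.113.5"}),
          (186, "srv-db", "sudo", {"user": "alice", "src": "10.0.0.7"}),
          (190, "srv-db", "file_write", {"user": "alice", "path": "/etc/shadow"})]
EVENTS += [(200 + i, "fw01", "deny", {"src": "10.0.1.9", "dport": 20 + i}) for i in range(25)]

class Correlator:
    def __init__(self):
        self.hot_users = {}            # user -> latest unusual-activity alert
        self.high_risk = {}            # host -> alert that flagged it High Risk
        self.ports = defaultdict(set)  # source IP -> distinct ports probed
        self.alerts = []

    def process(self, t, host, action, f):
        user, src = f.get("user"), f.get("src")
        # 1. Unusual activity: login outside the working hours IAM holds for the user.
        if action == "login" and user in IAM and t // 60 not in IAM[user]["hours"]:
            self.hot_users[user] = {"type": "unusual_activity", "t": t, "user": user,
                                    "src": src, "dept": IAM[user]["dept"]}
            self.alerts.append(self.hot_users[user])
        # 2. Abnormal file change or privileged access soon after unusual activity.
        prior = self.hot_users.get(user)
        if action in ("sudo", "file_write") and prior and t - prior["t"] <= WINDOW:
            self.high_risk[host] = {"type": "privileged_change", "t": t, "host": host,
                                    "user": user, "linked": prior}
            self.alerts.append(self.high_risk[host])
        # 3. Port scan from a source that CMDB resolves to a High Risk host.
        if action == "deny" and src:
            self.ports[src].add(f.get("dport"))
            if len(self.ports[src]) == SCAN_PORTS and CMDB.get(src) in self.high_risk:
                self.alerts.append({"type": "port_scan_from_high_risk", "t": t,
                                    "host": CMDB[src], "linked": self.high_risk[CMDB[src]]})

    def compromised_servers(self):
        """4. Single query: High Risk hosts that went on to scan the network."""
        return sorted({a["host"] for a in self.alerts if a["type"] == "port_scan_from_high_risk"})

    def initial_source(self, host):
        """5. Follow the alert chain back to the source of the first unusual activity."""
        a = self.high_risk[host]
        while "linked" in a:
            a = a["linked"]
        return a["src"]
```

Feed the events to `Correlator.process` in time order; the port-scan rule only fires because the scanning address resolves, through the CMDB enrichment, to a host already flagged High Risk by step 2.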




[Diagram of the scenario: the Threat (disgruntled employee, hacker etc.) passes the Firewall to reach the Corporate Server, which holds user information and transactions; through Privilege Access it reaches the Important Files (user private information, transaction details etc.), and the hacker then searches for more machines to compromise.]